Our insight arising from Privacy Shield updates over the past few months.

The EU Commissioner for Justice, Věra Jourová, has confirmed that the annual review into the operation of the EU-US Privacy Shield will take place in September 2017. The Commissioner emphasised that the key elements of the Privacy Shield must remain in place, particularly considering governmental access for national security reasons. The EU Commission has been requested to review bulk collection programmes and their proportionality, monitor compliance with deleting EU personal data where it is no longer necessary for the purpose for which it was collected, and ensure the Privacy Shield reflects the GDPR.

The European Parliament has adopted a resolution on the Adequacy of the Protection afforded by the EU-US Privacy Shield, which highlights the lack of clarity on the Privacy Shield arrangements by the US administration. President Trump’s Executive Order of 25 January 2017 entitled “Enhancing public safety in the Interior of the US” excludes foreign citizens from protection under the US Privacy Act and the US administration’s letters of assurance do not demonstrate effective rights of redress. The resolution urges the Commission to investigate the consequences of this Executive Order and EU citizen’s rights where their personal data is transferred to the US and used by government agencies under the Privacy Shield.

A copy of the resolution can be accessed here.

Members of the European Parliament have also raised fresh concerns about the Privacy Shield and have called on the Commission to ensure full compliance with the GDPR following the annual review, and that the US commitments to the Privacy Shield will be maintained by the new US administration.

Finally, WP29 has published a Privacy Shield Ombudsman request form, to deal with concerns regarding access to EU personal data by the national intelligence authorities in the US. This marks a significant difference from the Safe Harbour regime where EU citizens did not have rights of recourse against the US entities processing their personal data.

A copy of the form can be accessed here.